feat: backchannel logout request client tls configuration

[aarmam]

This pull request introduces feature to configure backchannel logout request client TLS min/max versions and supported cipher suites.

Feature update:

• Added insecure_skip_verify configuration option.
• Added reading proxy configuration from environment variables HTTP_PROXY and HTTPS_PROXY

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

[codecov]

Codecov Report

Merging #2875 (0c8b78a) into master (1b1899e) will increase coverage by 0.07%.
The diff coverage is 95.00%.

❗ Current head 0c8b78a differs from pull request most recent head 87e14c7. Consider uploading reports for the commit 87e14c7 to get more accurate results

@@            Coverage Diff             @@
##           master    #2875      +/-   ##
==========================================
+ Coverage   76.85%   76.92%   +0.07%     
==========================================
  Files         124      124              
  Lines        9175     9212      +37     
==========================================
+ Hits         7051     7086      +35     
- Misses       1674     1675       +1     
- Partials      450      451       +1     

Impacted Files	Coverage Δ
consent/strategy_default.go	69.72% <85.71%> (+0.21%)	⬆️
driver/config/tls.go	91.80% <100.00%> (+6.08%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[aeneasr]

Looking great! :) Could you please add a guide that explains how to use this feature in this doc: https://github.com/ory/hydra/blob/master/docs/docs/guides/logout.mdx ?

Thank you!

[aeneasr]

Thank you, this looks great! The CI is failing because some files are formatted incorrectly. To format them, run:

$ make format
$ git commit -a -m "styles: format code"
$ git push

Thank you!

[aeneasr]

While the PR is being worked on I will mark it as a draft. That declutters our review backlog :)

Once you're done with your changes and would like someone to review them, mark the PR as ready and request a review from one of the maintainers.

Thank you!

[aeneasr]

Thank you! I've got one question. This PR is currently targeting exactly one backchannel logout URL. However, most environments will have 1..n backchannel logout URLs, depending on the clients that define those URLs. To me it appears that setting this TLS configuration at a global level will be problematic if you have two or more OAuth2 clients with separate TLS configs (e.g. one special TLS config and one regular HTTPs with a public certificate).

What's your take on this?

[aarmam]

This PR is currently targeting exactly one backchannel logout URL. However, most environments will have 1..n backchannel logout URLs, depending on the clients that define those URLs.

This is how its implemented before this PR also - global golang default for all backchannel requests?

To me it appears that setting this TLS configuration at a global level will be problematic if you have two or more OAuth2 clients with separate TLS configs (e.g. one special TLS config and one regular HTTPs with a public certificate).

And I did not add this problem with current implementation?

Just reiterating my thoughts so I'm not missing anything: :)

• If client.default.tls/client.back_channel_logout.tls are not set, then golang defaults are used like previously (?)
• If client.default.tls is set, then the settings are merged with golang default settings and would be used for all Hydra clients, that decide to use this functionality.
• If only client.back_channel_logout.tls is specified, then only backchannel client will have custom tls configuration merged with golang default settings.
• If both client.default.tls/client.back_channel_logout.tls are set, then backchannel client will have default and fallback settings merged with golang default settings.

This is functionality is MVP for us, but it could be further extended to check client specific settings when iterating over clients in executeBackChannelLogout() and it would not go in conflict with current implementation - in contrary would give possibility to further override these global settings when needed?

[aeneasr]

Thank you @aarmam as always for your great contributions! After thinking about this for quite some time, I don't think that we should merge this feature upstream. The reason is the following:

The backchannel logout URL is something that is configured on a per-client basis. Adding a config option which allows us only to configure a global TLS certificate does not really match the underlying principle that an authorization server can have almost unlimited backchannel logout targets.

If we were to introduce this, we would need to keep for backwards compatibility and also add to Ory Network. Therefore, we can't merge the feature as is.

One option is to add this feature to the client configuration. However, I think that the backchannel logout URL should use TLS with a trusted certificate, and not trust untrusted certificates. To work around this on local environments, one could use Caddy or something similar to add a trusted CA to the OS certificate store, or set up LE in staging environments.

So generally speaking, I don't think we should add TLS exceptions here. It will only open questions like: Why does JWKs fetching not have a custom TLS certificate? Or webhooks, or feature X, Y, Z

[aarmam]

Thank you @aarmam as always for your great contributions!

Thanks! :)

Adding a config option which allows us only to configure a global TLS certificate does not really match the underlying principle that an authorization server can have almost unlimited backchannel logout targets.

This is actually not what this pr introduces. I'll give you an example:

client.default.tls:
  min_version: tls12
  max_version: tls13
  cipher_suites:
    - TLS_AES_128_GCM_SHA256
client.back_channel_logout.tls:
  cipher_suites:
    - TLS_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

This configuration limits all outgoing TLS connections to use min/max tls versions and specified cipher suites - thats all this pr introduces. It does not configure global TLS certificate nor trusted certificates - just global outgoing connection settings for min/max tls version and cypher suites.
In this example client.back_channel_logout.tls.cipher_suites overrides client.default.tls.cipher_suites.